New Retail Breach: 'Low-and-Slow' Attack

Houston-based liquor store chain Spec's says its network was attacked by malware back in October 2012, and the the intrusion, which exposed card data and other information, may have continued until as late as March 20, 2014. The attack wasn't revealed until last week at the request of law enforcement officials, the company says.

Spec's spokeswoman Jenifer Sarver says suspicions of a breach date back to early 2013, when a major U.S. card issuer alerted law enforcement of potential fraud linked back to cards used at Spec's.

"During the same time period, one of the major payment card brands notified First Data, our credit card processor, of irregular activity on credit card accounts that had been used at certain Spec's stores," Sarver adds.

Spec's then hired security firm Fishnet Security to investigate the possibility of a breach and shore up the retailer's network security, she says. Spec's also replaced cash registers at 29 of the affected stores that are still open, she adds.

"The attackers were sophisticated and took a number of intricate steps to avoid detection," Sarver says. "We have disabled and removed the malware that was illegally placed on our systems. We had a request from law enforcement that was in place until this week, asking us to hold our disclosure, as they are still tracking the criminal responsible for this attack."

Spec's, which has 155 stores, estimates that fewer than 550,000 customers were impacted by the breach. "That figure was determined by comparing the total number of transactions at the 34 affected stores during the relevant time period compared to the total number of transactions at all stores during the same period," Sarver says.

The information exposed during the breach may include certain payment card information, such as name, card number, expiration date and/or the card verification security code; check information, such as bank account number, routing number, date of birth and/or driver's license number, also may have been exposed, the company says in a statement.

Spec's did not comment about whether PINs associated with debit transactions were affected.

Sarver notes, however, that certain personally identifiable information - including name, address, phone number and Social Security number - for about 8,900 employees also was likely exposed.

Spec's is offering those affected by the breach a year's worth of free fraud resolution services from AllClear ID.

'Low and Slow' Attacks

So-called "low-and-slow" attacks, such as the Spec's breach, are becoming increasingly common as the malware used to attack retailers gets more difficult to immediately detect, security experts say. They also say it's unlikely the Spec's breach is related to Target Corp.'s point-of-sale network breach in late 2013, which also involved malware.

One executive who works with a leading card issuer on the West Coast, who asked to remain anonymous, says fraud linked to Spec's customers has been too low to raise flags. The executive's issuing institution, which serves portions of Texas, has seen fraudulent transactions linked to that region of the country, but the losses have not been "hot enough" to garner attention.

Gartner analyst and financial fraud expert Avivah Litan says many more low-and-slow attacks, like the Spec's breach, are likely ongoing and not yet identified.

"It's under the radar if it's not big enough for the issuers to notice," Litan says. "That means it takes time to detect. And if it's been a year and a half, and if it's only a half million cards, it would take a while to notice."

John Buzzard, who oversees FICO's Card Alert Service, says it's not surprising that attacks are going undetected for significant stretches of time.

"Malware designers like to mimic file names and other attributes that are already in the native environment where their malware will reside," Buzzard says. "Customization allows the malware to hide out in the open, more or less, because it may appear to be something as banal as 'inventory log,' which could easily be a common file name that any retailer might have in their system."

Link to Other Breaches?

Most emerging strains of retail-focused malware, such as BlackPOS, have been very difficult to detect, Buzzard adds.

"This breach might have been something similar to the BlackPOS malware that was incredibly difficult to detect and contain," Buzzard says. "It might have been custom-made for this particular retailer."

BlackPOS was blamed for the early 2013 attack on Hawaii restaurant chain Roy's Holdings Inc. Some researchers also raised the possibility that BlackPOS was also used in the Target attack. But Litan says: "The BlackPOS malware out there for sale is similar to what was used against Target, but what actually hit Target was very customized."

In the case of Spec's, Litan believes that BlackPOS, rather than more customized malware, is probably to blame for the attack.

"BlackPOS was seen for first time in late 2012, so given the timeline, that could have been what hit this liquor store [chain]," she says.

Making a connection between the Spec's attack and Target is probably a stretch, Litan and others say.

One cyberintelligence source who asked not to be named says he's 90 percent certain the Spec's breach is not related to Target. And Buzzard says the industry has to be careful about linking breaches before the forensics investigations are complete.

"We are all so sensitive to the Target breach that I think we tend to just assume that everything is related," Buzzard says. "But we won't know for quite some time."

Al Pascual, a senior analyst for consultancy Javelin Strategy & Research, says many U.S. retailers are facing the same struggles as Spec's.

"Hackers are getting more educated about fraud detection systems and are slowly trickling out stolen card data, rather than selling huge dumps all at once," Pascual says. "We can be assured that hundreds, if not thousands, of merchants are compromised today and we just don't know it."

About the Author

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;